Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.
The NAT example in this section is based on the following topology:
Based on this topology, there are three NAT policies we need to create as follows:
To enable the clients on the internal network to access resources on the internet, the internal 192.168.1.0 addresses must be translated to publicly routable addresses. In this case, we configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet to the actual address of the web server on the DMZ network, 10.1.1.11. Without that rule, the original routing table lookup, based on the destination address 203.0.113.11 in the packet, would send the packet to the external network. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) that translates the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT) for instructions.
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.
Configure Source NAT
Create an address object for the external IP address you plan to use. Select Objects > Addresses and then click Add. Enter a Name and optional Description for the object. Select IP Netmask from the Type drop-down and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example. To save the address object, click OK. Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.
Create the NAT policy. Select Policies > NAT and click Add. On the General tab, enter a descriptive Name for the policy. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies. For NAT Type, select ipv4 (default). On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-down in the Source Address Translation section of the screen. For Address Type, there are two choices. One is Translated Address: click Add and select the address object you just created. The alternative is Interface Address, in which case the translated address is the IP address of the interface; for this choice, select an Interface and, if the interface has more than one IP address, the IP Address to use. Click OK to save the NAT policy.
Save the configuration. Click Commit.
(Optional) Access the CLI to verify the translation. Use the show session all command to view the session table, where you can verify the source IP address and port and the corresponding translated IP address and port. Use the show session id <id_number> command to view more details about a session. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see whether any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet is dropped.
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.
Configure U-Turn NAT
Create an address object for the web server. Select Objects > Addresses and click Add. Enter a Name and optional Description for the object. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example. Click OK.
Create the NAT policy. Select Policies > NAT and click Add. On the General tab, enter a descriptive Name for the NAT rule. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down. In the Destination Address section, click Add and select the address object you created for your public web server. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example. Click OK to save the NAT policy.
Save the configuration. Click Commit.
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.
Configure Bi-Directional NAT
Create an address object for the web server’s internal IP address. Select Objects > Addresses and click Add. Enter a Name and optional Description for the object. Select IP Netmask from the Type drop-down and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example. Click OK. If you did not already create an address object for the public address of your web server, you should create that object now.
Create the NAT policy. Select Policies > NAT and click Add. On the General tab, enter a descriptive Name for the NAT rule. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down. In the Source Address section, click Add and select the address object you created for your internal web server address. On the Translated Packet tab, select Static IP from the Translation Type drop-down in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address drop-down. In the Bi-directional field, select Yes. Click OK to save the NAT policy.
Save the configuration. Click Commit.
Modify the Oversubscription Rate for DIPP NAT
If you have enough public IP addresses that you do not need DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby increase the number of DIP and DIPP NAT rules the firewall allows.
Set NAT Oversubscription
View the DIPP NAT oversubscription rate. Select Device > Setup > Session > Session Settings. View the NAT Oversubscription Rate setting.
Set the DIPP NAT oversubscription rate. Edit the Session Settings section. In the NAT Oversubscription Rate drop-down, select 1x, 2x, 4x, or 8x, depending on which ratio you want. The Platform Default setting applies the default oversubscription setting for the platform. If you want no oversubscription, select 1x. Click OK and Commit the change.
Disable NAT for a Specific Host or Interface
Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.
Create a Source NAT Exemption
Create the NAT policy. Select Policies > NAT and click Add. Enter a descriptive Name for the policy. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down. For Source Address, click Add and enter the host address. Click OK. On the Translated Packet tab, select None from the Translation Type drop-down in the Source Address Translation section of the screen. Click OK to save the NAT policy.
Save the configuration. Click Commit.
NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.
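As an added illustration (this is a model written for this page, not PAN-OS code or configuration), the following Python program evaluates a NAT rulebase top to bottom, first match wins, over the three policies described above plus the source NAT exemption. The addresses 192.168.1.0/24, 10.1.1.11, 203.0.113.11 and 203.0.113.100 are those of the page's topology; the zone names trust, dmz and untrust, the exempt host 192.168.1.50, the internet host 198.51.100.7 and the toy DIPP port allocator are constructed assumptions. It goes one step beyond the exemption ordering point above by showing that the same first-match logic requires the more specific U-Turn rule to sit above the general source DIPP rule, otherwise the DIPP rule swallows the client-to-web-server traffic.

```python
"""Model of top-to-bottom NAT rule evaluation (added example; not PAN-OS code).

Addresses follow the page's topology. Zone names, the exempt host, the
internet host and the DIPP port allocator are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Stand-in for the routing table: which zone a destination is routed to BEFORE NAT.
ZONES = {"trust": ip_network("192.168.1.0/24"), "dmz": ip_network("10.1.1.0/24")}
EGRESS_IP = "203.0.113.100"   # address of the external (untrust) interface


def zone_of(ip: str) -> str:
    for zone, net in ZONES.items():
        if ip_address(ip) in net:
            return zone
    return "untrust"          # anything else leaves via the external interface


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    from_zone: str                       # Original Packet: Source Zone
    to_zone: str                         # Original Packet: Destination Zone (pre-NAT lookup)
    src: Optional[str] = None            # Original Packet: Source Address (None = any)
    dst: Optional[str] = None            # Original Packet: Destination Address (None = any)
    src_xlate: Optional[str] = None      # Source Address Translation: "dipp", "static" or None
    src_xlate_ip: Optional[str] = None
    dst_xlate_ip: Optional[str] = None   # Destination Address Translation
    bidirectional: bool = False          # Static IP only

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src_ip) == self.from_zone
                and zone_of(pkt.dst_ip) == self.to_zone
                and (self.src is None or pkt.src_ip == self.src)
                and (self.dst is None or pkt.dst_ip == self.dst))

    def matches_reverse(self, pkt: Packet) -> bool:
        """Implied inbound direction of a bi-directional static NAT policy."""
        return (self.bidirectional and self.src_xlate == "static"
                and zone_of(pkt.src_ip) == self.to_zone
                and pkt.dst_ip == self.src_xlate_ip)


class NatEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self._next_port = 20000      # toy DIPP port allocator (constructed)

    def translate(self, pkt: Packet):
        """Return (rule name, translated packet); the first matching rule wins."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.name, self._apply(rule, pkt)
            if rule.matches_reverse(pkt):
                return rule.name + " (reverse)", replace(pkt, dst_ip=rule.src)
        return "no-rule", pkt

    def _apply(self, rule: NatRule, pkt: Packet) -> Packet:
        out = pkt
        if rule.src_xlate == "dipp":           # Dynamic IP And Port: new address and port
            self._next_port += 1
            out = replace(out, src_ip=rule.src_xlate_ip, src_port=self._next_port)
        elif rule.src_xlate == "static":       # Static IP: address only, port kept
            out = replace(out, src_ip=rule.src_xlate_ip)
        if rule.dst_xlate_ip:
            out = replace(out, dst_ip=rule.dst_xlate_ip)
        return out                              # Translation Type None: returned unchanged


def build_rules(dipp_first: bool = False):
    """The page's three policies plus the exemption; the order is the point."""
    exempt = NatRule("exempt-host", "trust", "untrust", src="192.168.1.50")  # Translation Type: None
    uturn = NatRule("uturn-web", "trust", "untrust", dst="203.0.113.11", dst_xlate_ip="10.1.1.11")
    dipp = NatRule("outbound-dipp", "trust", "untrust", src_xlate="dipp", src_xlate_ip=EGRESS_IP)
    static = NatRule("web-static", "dmz", "untrust", src="10.1.1.11", src_xlate="static",
                     src_xlate_ip="203.0.113.11", bidirectional=True)
    return [exempt, dipp, uturn, static] if dipp_first else [exempt, uturn, dipp, static]


def demo(dipp_first: bool = False):
    eng = NatEngine(build_rules(dipp_first))
    cases = {   # constructed packets; 198.51.100.7 stands in for an internet host
        "client_to_internet": Packet("192.168.1.10", 40000, "198.51.100.7", 443),
        "client_to_web": Packet("192.168.1.10", 40001, "203.0.113.11", 80),
        "exempt_host": Packet("192.168.1.50", 40002, "198.51.100.7", 443),
        "web_to_internet": Packet("10.1.1.11", 80, "198.51.100.7", 51000),
        "internet_to_web": Packet("198.51.100.7", 51000, "203.0.113.11", 80),
    }
    return {name: eng.translate(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (rule, pkt) in demo().items():
        print(f"{name:20} -> {rule:22} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
    # With the general DIPP rule above the U-Turn rule, client_to_web never reaches uturn-web:
    print("misordered:", demo(dipp_first=True)["client_to_web"][0])
```

The model matches on the zone the original destination would be routed to, which is why the U-Turn rule is written from trust to untrust even though the packet ends up in the DMZ, and why the reverse direction of the bi-directional static rule matches on the public address 203.0.113.11 arriving from untrust.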
Reserve Dynamic IP NAT Addresses
You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP have expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from the addresses available in the configured pool. Therefore, a reserved translated IP address is not available for any other source IP address until the reservation expires, which happens when the timer runs out without a new session having started. The timer is reset each time a new session for a source IP/translated IP mapping begins after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.
Reserve Dynamic IP NAT Addresses
Reserve dynamic IP NAT addresses for a firewall. Enter the following commands:
admin@PA-3020# set setting nat reserve-ip yes
admin@PA-3020# set setting nat reserve-time <1-604800 secs>
Reserve dynamic IP NAT addresses for a virtual system. Enter the following commands:
admin@PA-3020# set vsys <vsysid> setting nat reserve-ip yes
admin@PA-3020# set vsys <vsysid> setting nat reserve-time <1-604800 secs>
For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.
The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
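The following Python model, added here as an illustration and not taken from PAN-OS, replays the 30-address scenario above as discrete session events: 20 hosts translating at once, the remaining 10 addresses being allocated, a new host being refused while every address is either in use or reserved (the dropped-packet case the show counter check earlier on this page looks for), the original host getting its own address back within the 8-hour window, and the address finally returning to the pool when the timer runs out. The pool size (30) and reserve-time (28800 seconds) follow the page; the host addresses, pool addresses and timings are constructed.

```python
"""Discrete-time model of a Dynamic IP NAT pool with address reservation
(added example; not PAN-OS code). Pool size and reserve-time follow the
page's scenario; the hosts and session timings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class PoolExhausted(Exception):
    """No translated address is free: the firewall drops the packet."""


@dataclass
class Mapping:
    translated: str
    active_sessions: int = 0
    reserved_until: Optional[float] = None   # set only while no session is active


class DynamicIpPool:
    def __init__(self, addresses: List[str], reserve_time: Optional[int] = None):
        self.free = list(addresses)              # addresses mapped to no source IP
        self.reserve_time = reserve_time         # seconds (reserve-ip yes) or None (reserve-ip no)
        self.mappings: Dict[str, Mapping] = {}   # source IP -> one-to-one mapping

    def _release_expired(self, now: float) -> None:
        """A reserved address returns to the pool only after its timer runs out."""
        for src, m in list(self.mappings.items()):
            if m.active_sessions == 0 and m.reserved_until is not None and m.reserved_until <= now:
                self.free.append(m.translated)
                del self.mappings[src]

    def session_start(self, src: str, now: float) -> str:
        """Translate a new session from src; returns the translated address."""
        self._release_expired(now)
        m = self.mappings.get(src)
        if m is None:
            if not self.free:
                raise PoolExhausted(f"t={now}: no Dynamic IP address left for {src}")
            m = Mapping(self.free.pop(0))
            self.mappings[src] = m
        m.active_sessions += 1
        m.reserved_until = None                  # a new session stops the reservation timer
        return m.translated

    def session_end(self, src: str, now: float) -> None:
        m = self.mappings[src]
        m.active_sessions -= 1
        if m.active_sessions == 0:
            if self.reserve_time is None:        # no reservation: address is free at once
                self.free.append(m.translated)
                del self.mappings[src]
            else:                                # timer starts when the last session expires
                m.reserved_until = now + self.reserve_time


def with_reservation() -> dict:
    """The page's scenario: 30 addresses, 20 translations in progress, reserve-time 8 h."""
    pool = DynamicIpPool([f"203.0.113.{i}" for i in range(1, 31)], reserve_time=28800)
    for i in range(1, 21):                               # 20 translations in progress
        pool.session_start(f"192.168.1.{i}", now=0)
    first = pool.mappings["192.168.1.1"].translated
    pool.session_end("192.168.1.1", now=100)             # host .1 idle: timer starts at t=100
    for i in range(21, 31):                              # the 10 remaining addresses go out
        pool.session_start(f"192.168.1.{i}", now=200)
    try:
        pool.session_start("192.168.1.99", now=300)      # nothing free, host .1's address is reserved
        dropped = False
    except PoolExhausted:
        dropped = True
    again = pool.session_start("192.168.1.1", now=3600)  # host .1 returns and keeps its address
    pool.session_end("192.168.1.1", now=4000)            # timer restarts: reserved until t=32800
    late = pool.session_start("192.168.1.99", now=40000) # reservation expired, address released
    return {"first": first, "dropped": dropped, "again": again, "late": late}


def without_reservation() -> str:
    """With reserve-ip no, another host can take the address as soon as it is idle."""
    pool = DynamicIpPool(["203.0.113.1"], reserve_time=None)
    pool.session_start("192.168.1.1", now=0)
    pool.session_end("192.168.1.1", now=100)
    return pool.session_start("192.168.1.99", now=101)


if __name__ == "__main__":
    print(with_reservation())
    print("no reservation, reused by another host:", without_reservation())
```

The contrast between the two functions is the operational trade-off of reserve-ip: reservation keeps each internal host on a stable public address, at the cost that an idle-but-reserved address counts against the pool, so a fully reserved pool drops new hosts' packets exactly as an exhausted one does.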